Red Teaming Terms and Definitions

Who Red Teaming is for?

Well, due to the nature of the red team exercise; generally, it has been built for testing the maturity and readiness (in term of defense) of an organization. So if an organization doesn't have a security process and procedures, no SoC or a mature information security team that covers all or most of the security aspects, then they don't need Ted teaming, yet.

Red team exercise tests overall process people and technology (PPT), whenever they think they exist.


Is Red Teaming more advanced than Penetration testing?

No, it is not.

Is Red Teaming an alternative to Penetration testing?

No, it is not.

Teams Colors

Red Team

Blue Team

Purple Team

White Team

Green Team

Yellow Team

Red team Definitions

APT – Advanced Persistent Threat


Command and Control / C2 – is the influence an attacker has over a compromised computer system they control


is the extraction of information from a target. This is typically through a covert channel.

Indicator Of Compromise (IOC)

are artifacts that identify or describe threat actions.

OPFOR – Opposing Force (OPFOR)

or enemy force typically used by the military in wargaming scenarios.

Operation Impact

An operation impact is the effect of a goal-driven action within a target environment


is an expression of intention to inflict evil, injury or damage.

Threat Emulation

is the process of mimicking the TTPs of a specific threat.


are Tactics/Tools, Techniques, and Procedures


the techniques and procedures of espionage. Tradecraft is typically associated with the intelligence community. TTP and Tradecraft are used interchangeably.

Post Exploitation



the network-based bypass or circumvent technique to access a none accessible or none routable host from the attacker's machine.

Lateral Movement

an operating-system-based technique to access other hosts in the network using stolen credentials, SSO sessions, or tokens to execute or run father actions with or without direct interaction from the attacker's machine.

Assumed-compromised / Assumed-Brach

a starting red team phase that gives the red team an initial foothold in the network. Usually used to shorten the exercise time to avoid the consumed time on the Get-in phase which includes but not limited to, OSINT, Social Engineering, Physical Security bypass, etc.


is a legal cheating procedure that the red team might ask for from the white-team if the team got stuck in a certain phase (note: white-card could be raised even after getting a foothold). White-card generally makes the red team's current or next step as assume-compromised to achieve the exercise's ultimate goal.


Last updated